Executive Summary

Introduction

Transport Canada (TC) is subject to the Government of Canada's legislative and policy framework for contracting including the Financial Administration Act, the Government Contracts Regulations, the Contracting Policy, and the Guidelines on the Proactive Disclosure of Contracts. The objective of government procurement is to acquire goods and services in a manner that enhances access, competition and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown and Canadians.

TC's Director General (DG), Technology Information Management Services Directorate (TIMSD) is the functional authority for IM/IT and has established controls in the procurement process related to IM/IT. The Director, Materiel, Contracting, Security & Facility Management who reports to the DG, Finance and Administration has functional authority for contracting activities at TC. As the contracting functional authority, the Director is responsible for developing and implementing procurement strategies and policies and providing assistance and direction to TC managers and staff on all contracting issues.

In 2010/11, approximately $33M of IM/IT contracts were awarded by TC, which represents approximately 18% of all contracts awarded by the Department that year. It is expected that the value of the Department's IM/IT contracts will decrease as a result of: the transfer of email, data centre and network services to Shared Services Canada (SSC), consolidation of IM/IT project management, closure of the TC library and general budget reductions.

Audit Objectives & Scope:

The overall objective of the audit was to assess the adequacy of the control framework for procurement of IM/IT goods and services and to provide assurance as to the extent to which those controls are respected. At the time of this audit, TC was beginning to transition its IM/IT management model to a more centralized approach as directed by the Department's Executive Committee and to align with the government-wide centralized approach established by Shared Services Canada. This audit also serves to identify strengths and weaknesses of current controls in place to procure IM/IT related goods and services which will help inform the Department as it transitions to a more centralized approach to manage IM/IT and procure IM/IT-related goods and services.

As many aspects of procurement governance and risk management cover all types of procurement, and are not strictly limited to IM/IT procurement, many of the findings and recommendations found within this report are applicable to all types of procurement.

Conclusion

The audit found the management control framework for IM/IT contracting to be adequate Footnote 1, i.e., most practices/processes are in compliance with Government of Canada and Transport Canada policies and directives. However, the audit also found that there are opportunities for improvement, particularly with respect to governance and risk management practices.

The Department should identify risks related to contracting and procurement to better define its key controls and the information needed to support effective departmental oversight. The Department is taking steps to address gaps in governance with the recent establishment of a senior procurement review management committee but the committee's current mandate covers procurement planning, not the award, management or close-out phases. Especially now, when spending is being reduced across government, it is vital that there be effective, senior-level oversight of all phases of procurement.

Statement of assurance/reliance

It is our professional judgment that the audit has been conducted in accordance with the Internal Auditing Standards of the Government of Canada. Satisfactory audit procedures have been conducted, and sufficient relevant evidence has been gathered to support the accuracy of the opinions provided in this report.

Transport Canada (TC) is subject to the Government of Canada's legislative and policy framework for contracting including the Financial Administration Act, the Government Contracts Regulations, the Contracting Policy, and the Guidelines on the Proactive Disclosure of Contracts. In June 2003, Treasury Board Secretariat issued a revised Treasury Board policy on contracting.

The objective of government procurement is to acquire goods and services and to carry out contracting in a manner that enhances access, competition and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown and Canadians. The Policy states that Government contracting shall be conducted in a manner that will:

stand the test of public scrutiny in matters of prudence and probity, facilitate access, encourage competition, and reflect fairness in the spending of public funds;

ensure the pre-eminence of operational requirements;

support long-term industrial and regional development and other appropriate national objectives, including Aboriginal economic development; and

comply with the Government's obligations under the North American Free Trade Agreement, the World Trade Organization's - Agreements on Government Procurement and on Internal Trade.

IM/IT contracts are awarded to purchase both goods and services. IM/IT goods include hardware, software and user licences. Services are purchased to develop, maintain and support the Department's systems and infrastructure. Services acquired to develop or enhance a system generally come from capital funding while services related to system support and maintenance come from operating funds. Lower dollar value goods, i.e. less than $10K, as directed by TB such as monitors and laptops are generally classified as operating and larger dollar items such as software are classified as capital.

In 2010/11, approximately $33M of IM/IT contracts were awarded by TC which represents 18% of all contracts awarded by the Department. It is expected that the value of the Department's IM/IT contracts will decrease as a result of the transfer of email, data centre and network services to Shared Services Canada (SSC), consolidation of IM/IT project management, closure of the TC library, and general budget reductions. The following provides information on the breakdown of the contracts.

Table 1

Type

Goods (hardware, software)

Professional Services

Total

Capital Funds

$ 6,833,832

$ 6,381,294

$ 13,215,127

Operating Funds

$ 8,497,417

$ 11,949,634

$ 20,447,051

Total

$ 15,331,249

$ 18,330,929

$ 33,662,178

TC's Director General (DG), Technology Information Management Services Directorate (TIMSD) is the functional authority for IM/IT and has established IM/IT procurement controls. The Director, Materiel, Contracting, Security & Facility Management, who reports to the DG, Finance and Administration has functional authority for contracting activities at TC. As the functional authority, the Director is responsible for developing and implementing procurement strategies and policies and providing assistance and direction to TC on all contracting issues.

Not all contracting of IM/IT goods and services at TC is centralized. Generally, IM/IT service related contracts are prepared by the Contracting Services group in the National Capital Region (up to $4M) and IM/IT goods related contracts are prepared by Responsibility Centre Managers and/or TIMSD (up to $25K or value of standing offer). Contracts that exceed the values noted above are prepared for TC by Public Works and Government Services Canada (PWGSC).

The overall objective of the audit was to assess the adequacy of the control framework for procurement of IM/IT goods and services and provide assurance as to the extent to which those controls are respected. It is important to note that, at the time of this audit, TC was beginning to transition its IM/IT management model to one which is more centralized and to align with the government-wide centralized approach established by Shared Services Canada. This audit also serves to identify strengths and weaknesses of the current controls in place to procure IM/IT related goods and services which will help inform the Department as it transitions to a centralized approach to manage IM/IT and procure IM/IT-related goods and services. As many aspects of procurement governance and risk management cover all types of procurement and are not strictly limited to IM/IT procurement, many findings and recommendations in this audit apply to all types of procurement at TC.

The planning for this audit consisted of interviews and examination of policies and procedures to document the risks and controls for IM/IT procurement. Building on the information gathered during the planning phase, the conduct phase focused on assessing the operating effectiveness of key IM/IT procurement controls in place for the four phases of contracting: planning, contract award, contract management and contract close out. The audit examined both contracting authorities' and Responsibility Center Managers' responsibility for the planning phase, which is a shared responsibility. The contracting authority is responsible for selecting the appropriate procurement instrument and the Responsibility Center Manager is responsible for justifying the need and providing a Statement of Work. The contract award phase is the responsibility of the contracting authority; the contract administration and contract close out phases are the responsibility of the Responsibility Center Manager.

To ensure broad coverage of higher risk contracts (expenditures greater than $200K), a judgmental sample of 15 IM/IT contracts of a possible 31, all from the National Capital Region were examined. Total value of expenditures of the sample was $8M (of $30M) which represents 26% of all IM/IT contract expenditures for 2010/11.

The scope of this audit excluded IM/IT related Temporary Help Services as these will be examined in a separate audit. In 2010/11, these IM/IT expenses totaled $2.8M.

The following sources were considered in establishing the audit criteria:

Financial Administration Act (FAA)

TBS Contracting Policy (January 1. 2003)

TBS Guidelines on the Proactive Disclosure of Contracts

Core Management Controls from the document Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, developed by the Office of the Comptroller General

TC contracting policies and procedures

Information Systems Audit and Control Association's Control Objectives for Information and related Technology (COBIT) framework

The 2009 report on the Review of the Procurement Challenge and Oversight Function by the Office of the Procurement Ombudsman (OPO) was used as a benchmark.

Based on the above we expected to find the following:

Governance

Accountabilities, responsibilities and authorities of key parties within the IM/IT procurement process have been well defined, communicated and understood.

A procurement challenge and oversight process has been established and functions effectively.

IM/IT procurement is monitored and measured in support of accountability and continuous improvement.

Risk Management

IM/IT procurement risks are identified, assessed and managed in a standardized manner.

Procurement Process Controls

The procurement process ensures that the planning phase and the contract award are conducted in a fair, open and transparent manner.

Contracts are managed to ensure the services performed or the goods received meet the contract terms and conditions.

The contract close-out phase addresses all outstanding financial, performance and administrative issues prior to the final payment.

Control areas were assessed for the adequacy of their design and their operational effectiveness.

It is our professional judgment that this audit was conducted in accordance with the Internal Auditing Standards of the Government of Canada. Satisfactory audit procedures were developed and sufficient relevant information was gathered to ensure the accuracy of the opinions expressed in this report.

Planning and conduct phases of the audit were completed between December 2011 and May 2012. The reporting phase, including fact verification, was completed in May. The audit was conducted in-house using departmental audit staff. During the planning phase, to understand the IM/IT procurement process, the audit team interviewed several TIMSD staff members and contracting staff. Detailed audit criteria were developed and are outlined in Appendix B.

During the conduct phase, to assess the effectiveness of IM/IT procurement governance, risk management and controls, the audit team interviewed TIMSD, Contracting staff and Responsibility Center Managers responsible for managing the sample contracts, and examined contract documentation. Contract documentation was assessed against the criteria identified in the planning phase.

Conclusions and recommendations to address opportunities and gaps described in the findings section are provided in the Conclusions and Recommendations sections.

The Recommendations section includes a Management Response and Action Plan (MRAP) from the Department. The MRAP gives management's response to the audit recommendations, and commitments and timelines for addressing identified weaknesses or gaps.

Findings are grouped into three areas: Governance, Risk Management and Procurement Process Controls. Governance and risk management findings are primarily based on the audit team's examination of the Department's policies and practices. These apply broadly to departmental procurement activities since many of the controls and processes related to procurement are not unique to IM/IT. A sample of IM/IT contracts were examined to test the effectiveness of controls in place over planning (pre-contract), award, management and close out of contracts.

The audit found the management control framework for IM/IT contracting to be adequate (see Appendix A for conclusion scale definitions), i.e., most practices/processes are in compliance with Government of Canada and Transport Canada policies and directives. However, the audit also found that there are opportunities for improvement, particularly with respect to governance and risk management practices.

An effective procurement oversight function, including a challenge function, is key to ensuring sound management of government procurement. For senior management to play an effective challenge and oversight role, a clear understanding of the Department's procurement spending practices and trends is necessary.

The TB Contracting Policy states that departments and agencies are responsible for ensuring that adequate control frameworks for due diligence and effective stewardship of public funds are in place and working. The Policy also encourages contracting authorities to establish and maintain a formal challenge mechanism for all contractual proposals and recognizes that this mechanism could range from a formal central audit board to divisional or regional advisory groups, depending on the departmental organization and magnitude of contracting.

Limited senior level challenge and oversight of contracting in the Department.

Oversight and challenge of contracting activities takes place mostly at the contract level with Responsibility Center Managers and the contracting specialists. TIMSD also plays a role in the challenge of IM/IT service related contracts. However, the audit found challenge and oversight of contracting activities at the senior level in the Department to be limited. Without an adequate senior level oversight and challenge function, there is a risk that the contracts entered into will not support departmental priorities and provide the best value to the Department.

TC has two procurement committees. The first, the Contract Review Committee, chaired by the DG, Finance and Administration with DG-Director level members from across the Department has been in place since 1996. According to the Committee's Terms of Reference, its mandate is, "the review and challenge of contracting situations that could be interpreted as inconsistent in terms of the government's competition policy or trade agreements, or require the approval of the Deputy Minister, Minister or Treasury Board; for the resolution of disputes between a contractor and the Department; and for the review of matters referred to the Contract Review Committee by departmental senior management."

During 2010/11, the committee reviewed 17 submissions pertaining to all types of contracts; only one was IM/IT related. Over half of the submissions related to contractual arrangements made without the prior approval of a departmental contracting authority (including cost overruns). Six of the submissions related to sole-source contracts over $25K.

The second committee is the Senior Procurement Review Committee (SPRC) which was recently established in December 2011 (after the timeframe of the sample contracts examined by the audit). The SPRC is an ADM-DG level committee with a mandate to review professional services requirements related to operational requirements and to provide TC with improved oversight of procurement planning, priorities and expenditures. (See Appendix C for the Terms of Reference). The Committee was established to provide a challenge function and make recommendations to group heads (e.g., ADMs, RDGs) on outsourcing requirements. It is not a decision making body.

With the establishment of the SPRC, the Department is taking steps to improve challenge and oversight at the senior departmental level. While recognizing that the committee is in its early stages, the audit did observe opportunities for the Committee to consider as they formalize their role. For example, the scope of the Committee's review does not include professional services contracts related to capital projects. Given the significant issues found in the recent internal audit of IM/IT project life-cycle controls, it would seem these types of contracts could be considered to be at higher risk and it may be beneficial for the Committee to review them as well. Even if improvements to monitoring IM/IT capital projects by the Department's Project Oversight Secretariat are implemented, as recommended by the previous audit, monitoring IM/IT contracts by this Committee would provide more information about scope, schedule and cost related changes than do current project monitoring reports.

The new Committee has established a standard form for submissions. The Committee's ability to play an effective oversight role could be improved by requiring more comprehensive information, such as a complete history of the contract (e.g., the number and value of past amendments) or information about other contracts or previous contracts related to the work to be addressed by a new contract.

The reporting and monitoring role of the Committee has not been defined. Based on interviews, the SPRC plays a challenge function upfront but does not extend past the procurement planning phase. The Committee's Terms of Reference, however, does make reference to reporting on a semi-annual basis but, as the Committee is relatively new, it is still in the process of defining the reporting process and content. At the conclusion of this audit, the SPRC was scheduled to report to the Transport Canada Executive Management Committee (TMX) on observations and results from its first six months in operation and it is expected that TMX will provide direction on the adequacy of the information being reported and whether additional information is required.

In 2009, the Office of the Procurement Ombudsman reviewed the procurement and challenge function at the senior departmental level across government (TC was not included). The review examined practices of departmental committees responsible for the procurement challenge and oversight function and identified effective practices that could be adopted by government departments. As a result of the review, the Office of the Procurement Ombudsman identified 10 essential characteristics of an effective oversight committee. For information purposes, a comparison between the essential characteristics of a procurement committee identified by the Office of the Procurement Ombudsman and TC's SPRC is provided in Appendix D.

Reporting of contracting activities at TC is limited and there are opportunities to improve the efficiency and effectiveness of the reporting process.

A challenge in carrying out this audit was the lack of readily available contracting information. Although some data was in place (e.g. the number and value of IM/IT contracts awarded), the audit team had to perform considerable work to create meaningful information. Some key data was not possible to obtain through the Department's financial system such as the contract type (e.g.Task-Based Informatics Professional Services; Professional Services Online). It was observed during the audit that there were opportunities to enhance reporting capabilities of the Department's financial system to ensure key data is available on an on-going basis. For example, drop down lists already set up in the financial system could be updated and fields for inputting key information could be made mandatory. The audit team was informed that the planned upgrade of the financial system would address these deficiencies and that after the completion of the upgrade (scheduled for June 2012) standardized reports would also be created.

TBS contract reporting requirements and Access to Information (ATI) requests are the only regular departmental contracting reports being produced at TC. Information from these reports is not used to monitor contracts at a departmental level. Producing these reports is time consuming and involves many manual steps, increasing the risk of errors. For example, the process to prepare the mandatory "proactive disclosure" reports quarterly, for all contracts in excess of $10K, involves a long series of manual steps. Upon review of the reports issued for fiscal 2010/11 some errors were observed. For example, the contract value was incorrect as it included GST instead of including HST and, in other cases; amendments were not identified potentially misleading the reader to believe the amount awarded was greater than the actual amount.

Proactive disclosure reports examined as part of this audit were prepared by a former employee retained on contract and there was no documented approval by a TC employee/supervisor prior to the reports being posted publicly. Based on interviews, the responsibility for this task has recently been assigned to a full time TC employee and some of the manual steps in preparation of the report have been reduced. It is expected that the upgrade of the financial system will further reduce the number of manual steps.

Automated controls have been set up in the Department's financial system to monitor if contracts are set up outside approved authorities and it is to alert contracting staff. It was observed that in 2010/11, there were 881 alerts; however, only 1% related to purchase orders/contracts set up outside delegated authorities. It is time consuming for staff to follow up and clarify each alert. Contracting staff have stated that the alert capabilities within the system are limited and can not accommodate all of the various delegated authorities associated with procurement (e.g. different levels of authority for procuring goods vs. services, standing offers vs. supply arrangements).

In some cases, documented roles and responsibilities differ from actual practice.

The Department's documented policies and procedures for procurement are clearly written. While the policies and procedures have had some updates over the past few years, they have not been fully reviewed and updated in a number of years and the audit identified some that are out of date and some gaps.

Also, there are differences between contracting staff responsibilities outlined in job descriptions and the actual practices of contracting staff. For example, responsibility for monitoring contracts and contractor performance evaluations is the responsibility of the contracting specialists according to the job descriptions; however, in practice Responsibility Center Managers are responsible for these activities. Contracting specialists do not perform any specific monitoring of contracts. The audit team was informed that the job descriptions for contracting staff have been updated and approved by a Classification Committee.

There is no process to track information on contractor performance and incorporate it into future contracting decisions.

Responsibility Center Managers are responsible for managing contractor performance and taking appropriate action if a contractor is not meeting obligations/requirements of the contract. According to the procedures outlined on the Materials and Contracting section of the Department's intranet, Responsibility Center Managers are instructed to keep contractor performance evaluations on file. The evaluations are to include a general description of the work and observations of the quality of the work done. However, there is no process to monitor that evaluations are being done and to gather the results to support future contracting decisions. Potentially, there would be value in collecting performance evaluations related to large and complex projects to provide the Department with valuable lessons learned.

Approach to risk management within the contracting process is informal.

The Department's approach to risk management of contracting activities is essentially a rules-based approach. Reliance is placed on the experience of contracting specialists to identify potential risks. There have been no contracting-related risk assessments performed in recent years. Criteria have not been developed to identify higher risk contracts that would warrant close monitoring.

The lack of formal risk management practices precludes having effective, yet not too many, controls in place, and makes it difficult for senior management to determine the required level of oversight and monitoring. A comprehensive assessment of the risks for the procurement process would determine the level of required control, the information needed for effective oversight, and would help support value for money decisions.

TC utilizes a number of service related contracts to meet IM/IT operational needs (i.e. applications support and maintenance).

The audit found justification for the purchase of operational IT goods (i.e. monitors, laptops, etc) as these purchases are tied to a formal replacement plan and approved budget allocations. As well, goods and services contracts related to capital projects were linked to approved, capital project funding. It was observed that there are a number of IM/IT professional service contracts in place to meet on-going operational needs. Although these contracts tie back to approved budget allocations, there is no standardized requirement or process to formally document and demonstrate that contracting is the best or most cost effective means to meet these on-going operational needs.

In interviews, TIMSD acknowledged the continued reliance on contractors and provided evidence to support that over the past several years, some actions have been taken to reduce/eliminate the use of contractors for certain types of positions. For example, some positions previously resourced by contractors are now filled by TC employees.

Appropriate contracting instruments were used for the sample contracts examined.

Although information on the types of procurement instruments associated with the contracts awarded in 2010/11 was not available from the financial system, interviews with procurement staff indicated that PWGSC's Task-Based Informatics Professional Services (TBIPS) and Professional Services Online (PS Online) were the most commonly used procurement instruments. Larger contracts that did not fit with the requirements of TBIPS or PS-Online were tendered through MERX.

TBIPS is a procurement instrument established by PWGSC and is used to address a specific IM/IT need. The maximum value of standing offer TBIPS contracts is $250K and the maximum value of a supply arrangement TBIPS contract is $2M. TBIPS requirements are related to a particular activity required to address a specific IM/IT need and usually associated with a specified set of responsibilities. Tasks involved are finite work assignments that require one or more consultants to complete. A task involves a specific start and end date and set deliverable. PS Online is an automated purchasing tool which enables suppliers from across Canada to qualify in a database used by Federal Government Departments and Agencies to identify potential pre-qualified suppliers for government professional services requirements when the value is less $78.5K. MERX is an online electronic tendering service. It is used to obtain competitive bids when a particular need does not fit within one of the established PWGSC procurement instruments. For the service related sample contracts, (12 of the 15 sample files) six were TBIPS and six were done through MERX. Of the remaining three sample contracts related to the purchase of goods, two were done through standing offers established by PWGSC and one was through MERX.

All service contracts in the sample had a statement of work that had been reviewed by TIMSD.

Defining the requirements for a contract is a key element of a successful procurement process. Identifying the needs and carefully developing the requirements can minimize the need for changes later and is fundamental to contracting fairness, transparency and value for money.

A Statement of Work (also referred to as a Terms of Reference) is required for every IM/IT service contract and this Statement of Work must be reviewed by TIMSD prior to the initiation of the contract from a technical perspective (e.g. security, architecture) in consideration of the reasonableness of the requirement including the skill level of the resources being requested. All of the sample service contracts had a Statement of Work that had been reviewed by TIMSD. Based on an examination of the comments and exchanges between the contracting group and TIMSD for the files sampled, there was evidence of a robust challenge function between the two groups. It was observed that although the Statement of Work was reviewed by TIMSD, the final approval of the Statement of Work (i.e. after comments were addressed) was not documented. In late 2011, TIMSD enhanced the Statement of Work review process by implementing a formal tracking tool to document Statements of Work reviewed, track comments and document final approval after all comments and questions have been addressed.

Although Responsibility Centre Managers, contracting staff and TIMSD are aware of the requirement to have the Statement of Work approved by TIMSD, this control is not currently documented within the procedures.

Not all sample contracts had documentation on file to support that the source of funding had been appropriately approved prior to the issuance of the contract.

Section 32 of the FAA provides the authority to commit funds against an appropriation before the expense is incurred. Contracting staff are required to confirm that Section 32 has been approved prior to the initiation of a contract. Upon examination of the sample files, it was observed that three of the sample contracts prepared by the contracting group did not have documentation on file to provide evidence that a source of funding had been confirmed via Section 32 approval. However, it is important to note that there are automated controls to ensure that Section 32 approval is completed prior initiating a contract. Based on discussions with the Department's contracting specialists, it was stated that the requirement to maintain evidence of Section 32 approvals was not clear when the approval process first changed from a manual signed form to an electronic approval but that as of July 2011, a process had been established to maintain file evidence of Section 32 approvals.

With one exception contract sample files had signed bid evaluations.

Completed and signed bid evaluations are essential to support that the bid assessment process was fair and transparent. All sample contracts (applicable to 13 contracts in the sample) had developed criteria for evaluating bids. One of the sample contracts did not have a completed and signed detailed evaluation form for bids; however, the audit team was provided with a summary of the evaluation.

With one possible exception, contracts were approved by the appropriate contracting authority.

The contracting authority for 11 of the 15 contract files in our sample was the contracting group in NCR. PWGSC was the contracting authority for the other four files. For 10 of the 11 files authorized by the contracting group in NCR, copies of appropriately authorized contracts were provided to the audit team. For one of the contracts, the signed copy of the contract could not be located and the audit team could not verify if it had been signed by the appropriate contracting authority. However, the audit team was provided with a copy of the contract award letter that was signed by the contracting manager, who did have authority to enter into the contract.

Other than Section 32 approvals, there is no TC documented policy or process on amendments and there is no senior level oversight and monitoring of IM/IT contracts related to capital projects.

There are no standard reports available providing comprehensive contracting information including contract amendments and there is no related senior level oversight and monitoring. The audit team spent considerable time collecting information to review and analyze the contract amendments related to the sample files selected. For the 15 sample contracts, there were 34 amendments. Of these, half were related to increases in the total estimated cost of the contract and in a few cases these increases were significant, in one case in excess of 500% over the original contract of value of $367K. Contract documentation suggests these amendments were due to changing business functionality requirements. The remaining 17 related to changing contractor resources, exercising pre-defined options to extend a contract and contract completion date changes. Of the 17 financial amendments to contracts, 10 related to scope changes from the original contract (all capital projects, eight of which related to a single capital project for application development) and seven were for additional resources to complete the original project scope.

Based on interviews with contracting staff, an informal guideline related to amendments has been established at TC (i.e., a contract should not be amended to more than 50% of its total estimated cost). If it is in the best interest of the Department to amend a contract beyond the 50% guideline, a business case is to be provided. But it is unclear as to who is to review and approve the business case before the amendment can proceed. Two of the sample contracts had amendments that were greater than 50%. Business cases were provided by the contracting staff but not all information in the business case could be tied to the amendments and there was no indication of who reviewed and approved the business cases. In addition, there is no process in place to ensure that TIMSD is made aware of any amendments to IM/IT related contracts which is a gap given the significant changes that can and are made to the scope of IM/IT capital projects. This limits the effectiveness of the role TIMSD can play to provide project oversight.

As well, the SPRC's current challenge and oversight role focuses solely on the initial procurement planning phase. Furthermore the committee does not review IM/IT capital related contracts and and therefore there is no senior level monitoring of all IM/IT related contract amendments. This limits the Department's ability to identify, monitor and manage potentially higher risk contracts.

All of the invoices examined for each sample contract found appropriate Section 34 approval. Some opportunities were identified to enhance the monitoring process.

A sample of 46 invoices related to the contract sample was examined for appropriate Section 34 approval. The total value of the 46 invoices was approximately $4.5M (approximately 64% of the sample contract expenses for fiscal 2010/11). All 46 invoices had appropriate Section 34 approval based on the signature cards provided by Finance.

The audit team was informed by Finance that invoices for time-based contracts are to be supported by timesheets and that timesheets must be signed by both the contractor and a supervisor (who must be a TC employee); however, these procedures are not documented.

Of the 12 contracts for services, nine were time-based contracts that were monitored through the use of contractor timesheets. While performing the Section 34 testing the audit team did observe a few exceptions to the requirements noted above. For example, for one contract the timesheets were approved by a contractor and not a TC employee. In a few other instances timesheets were not attached to the invoices or the contractor had not signed the timesheets.

In July 2011, procedures were issued regarding the use of a standard timesheet for IM/IT related contracts; however, interviews with Responsibility Center Manager's indicated that the majority were not familiar with the requirement.

Improvements are needed in the file close-out process.

Procurement files should be established and structured to facilitate management oversight with a complete audit trail that contains contracting details related to relevant communications and decisions including the identification of officials and contracting approval authorities.

Although a checklist has been developed to ensure all requirements are met for a contract and kept on file, contracting staff did not follow their internal procedures to complete the checklist. None of the 11 contract files prepared by the contracting group in the National Capital Region had a completed checklist, which is significant since the checklist is the only quality control mechanism available to them.

It is important to note that the retrieval of the contract documentation in support of the audit was an onerous task for the contracting team as it took a considerable amount of time for the documentation to be collected and provided to the audit team.

The audit found the management control framework for IM/IT contracting to be adequate (see Appendix A for conclusion scale definitions), i.e., most practices/processes are in compliance with Government of Canada and Transport Canada policies and directives. However, the audit also found that there are opportunities for improvement, particularly with respect to governance and risk management practices.

The Department should identify risks related to contracting and procurement to better define its key controls and the information needed to support effective departmental oversight. The Department is taking steps to address gaps in governance with the recent establishment of a senior procurement review management committee but the committee's current mandate covers procurement planning not the award, management or close-out phases. Especially now, when spending is being reduced across government, it is vital that there be effective, senior-level oversight of all phases of procurement.

It is recommended that the ADM, Corporate Services with the support of the DG, Finance and Administration and the DG, Technology & Information Management Services:

#

Recommendation

Detailed Management Action Plan

Completion Date (for each action)

OPI direct report for each specific action

1

Recommendation Rating - Medium

Perform a risk assessment on departmental contracting activities and tailor controls to risks.

The risk assessment should consider both the likelihood of known risks occurring and their potential impact (should they materialize) against the achievement of defined strategic and operational contracting and procurement objectives. The risk assessment will inform the level of control required, information needed for effective oversight and it will help ensure that limited funds are put to the best possible use.

A risk assessment on departmental contracting activities will be completed based on the life cycle of the procurement process: from requirements definition through to contract close-out. This assessment will address components similar to the PWGSC Procurement Risk Assessment model.

The assessment will focus on several key areas of the procurement process such as requirements definition, procurement strategy, financial components, etc to determine areas of risk.

The outcome of this assessment will be used to identify the areas of greatest risk in the procurement life cycle and to determine how best to address the risk. Strategies may range from risk acceptance to the development of mitigating strategies, internal conrols or governance oversight, as required, to address action items 2 through 4.

A report of this assessment will be presented to the Department's Executive Management Committee (TMX) for discussion and direction.

December 2012

DG F&A

2

Recommendation Rating – Low

Update contracting policies, procedures and practices.

Ensure that policies, procedures and practices that form the Department's contracting management control framework (MCF) are updated to address the gaps and weaknesses identified in this report and ensure there is alignment to the risk assessment. The responsibility for the monitoring of controls should also clearly be defined.

Policies and procedures will be up-dated to address the gaps and weaknesses identified by the audit report and the risk assessment. Refer to action item#1.

June 2013

DG F&A

3

Recommendation Rating - Medium

Strengthen challenge and oversight of contracting activities.

Review the current challenge and oversight activities in the Department against Treasury Board (TB) policy, Office of the Procurement Ombudsman (OPO) benchmarks for challenge and oversight committees as well as the results of the risk assessment and determine if the roles of the existing procurement committees (Contract Review Committee and Senior Procurement Review Committee) should be expanded or if other means should be used to address gaps in oversight and monitoring. This review should also define the information necessary to support effective departmental level challenge and oversight.

Options will be examined to strengthen the challenge and oversight of contracting activities for discussion and decision at the department's Executive Committee (TMX). Refer to action item #1.

March 2013

DG F&A

4

Recommendation Rating - Medium

Define all reporting requirements and ensure complete and accurate reporting.

Based on the risk assessment define the core information needed to be collected to support effective corporate oversight and government reporting requirements. Develop clear data collection and entry procedures and perform effective quality control to ensure complete and accurate reporting, especially public disclosure information required to be posted publicly on a quarterly basis.

Reporting requirements will be discussed at the department's Executive Management Committee (TMX) which will then guide the development and promulgation of data collection/data entry procedures to ensure effective reporting for both information purposes and for decision making.

Ensure that IM/IT contracts related to on-going operational needs have a benefit analysis. Although each proposal will have some unique characteristics, information required should nevertheless be standardized, and benefit analyses should include both quantitative and qualitative information. Develop an appropriate process to review and approve these justifications (e.g. TIMSD, SPRC, etc).

A justification template specific to on-going operational needs will be developed. This template will form the standardized means for capturing and positioning the required quantitative and qualitative information to support the review process and demonstrate whether a contracting approach is the best or most cost effective means to meet the on-going operational need.

The current process in place between Contracting and TIMSD to review and approve IM/IT service related contract requests (regardless of whether these are capital or OOC driven) will be adjusted to ensure all justifications are first vetted by TIMSD prior to seeking SPRC approval. This will ensure as a minimum an alignment of all capital and on-going operational requests to priorities, investment and other departmental planning processes prior to SPRC review.

October 2012

DG TIMSD

Note: Each recommendation has been assigned a rating based on the rating scale found in Appendix E.

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet: